OFFICE OF THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION’S IMPLEMENTATION OF INTERNET PROTOCOL VERSION 6

August 2008    A-14-08-18064

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

  • Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
  • Promote economy, effectiveness, and efficiency within the agency.
  • Prevent and detect fraud, waste, and abuse in agency programs and operations.
  • Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  • Independence to determine what reviews to perform.
  • Access to all information necessary for the reviews.
  • Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date:      August 27, 2008
Refer To:
To:        The Commissioner
From:      Inspector General
Subject:   The Social Security Administration’s Implementation of Internet Protocol Version 6 (A-14-08-18064)

OBJECTIVE

The objective of this review was to evaluate the compliance of the Social Security Administration’s (SSA) implementation of Internet Protocol Version 6 (IPv6) with Federal standards and guidelines.

BACKGROUND

Internet Protocol (IP) is the “language” and set of rules computers use to communicate with one another over the Internet. The protocol that supports the Internet today - Internet Protocol Version 4 (IPv4) – provides approximately 4 billion [1] IP addresses worldwide. This limits the number of devices that can be given a unique Internet address. IPv6 will provide exponentially more [2] IP addresses that will be essential to the continued growth of the Internet and the development of new applications that leverage mobile Internet connectivity. Although the information technology (IT) community has worked around this IP address shortage in the IPv4 environment, the community views IPv6 as the true, long-term solution to the shortage. As such, the Federal Chief Information Officer (CIO) Council Architecture and Infrastructure Committee recommended [3] that Federal agencies (including SSA) prepare for the future of networking and Internet technology by enabling their networks to support IPv6.

[1] IPv4 provides about 4,300,000,000 addresses.
[2] IPv6 provides about 340 undecillion or 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.
[3] “IPV6 Transition Guidance” was issued by the Federal CIO Council Architecture and Infrastructure Committee in February 2006.

On August 2, 2005, the Office of Management and Budget (OMB) issued guidance [4] on transitioning to IPv6 and established a June 30, 2008 deadline by which all agencies’ networks [5] must be using IPv6. [6]

On February 22, 2007, the National Institute of Standards and Technology (NIST) issued draft guidance [7] to assist Federal agencies in the implementation of IPv6. This guidance defines standards for IPv6 that include a list of common network devices and their minimal capabilities. The standards address host devices, [8] routers, and network protection devices (including firewalls and intrusion detection/prevention devices that examine and selectively block or modify network traffic). As such, every device connected to the network will be impacted.

Over the past several years, the Internet Engineering Task Force (IETF) [9] and Federal CIO Council Architecture and Infrastructure Committee [10] have provided additional guidelines [11] to further assist in the successful implementation of IPv6.

[4] OMB Memorandum M-05-22, Transition Planning for Internet Protocol Version 6, August 2, 2005.
[5] The deadline applies to the network backbone (also referred to as the core network) only. The backbone (core) is the part of the network infrastructure that connects sub-networks to provide a path for exchanging data. For SSA, the core network connects the National Computer Center and the six Remote Operation Communication Centers.
[6] To be using IPv6, agencies must have their network backbone (core) operating in a dual stack (IPv4 and IPv6) or in a pure IPv6 mode that is IPv6-compliant and configured to carry operational IPv6 traffic. Throughout this document implementation will denote using IPv6 on the network backbone in a dual-stack environment.
[7] NIST, Special Publication (SP) 500-267 (Draft), A Profile for IPv6 in the U.S. Government - Version 1.0. The draft was issued on February 22, 2007. Draft 2 was issued on January 23, 2008.
[8] Host devices are nodes that are not routers. A node is a point in a network at which lines intersect or branch, a device attached to a network, or a terminal or other point in a computer network where messages can be created, received, or transmitted.
[9] The IETF is a large, open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet; its works are referenced in Federal CIO Council guidelines.
[10] The Federal CIO Council Architecture and Infrastructure Committee develops policy, direction, and guidance in concert with the Federal Enterprise Architecture Program Management Office in OMB to drive business process improvement, investment management, and technical decisions.
[11] IETF, Request for Comment (RFC) 3513, IPv6 Addressing Architecture, April 2003; IETF RFC 3587, IPv6 Global Unicast Address Format, August 2003; IETF RFC 4057, IPv6 Enterprise Network Scenarios, June 2005; CIO Council, IPv6 Transition Guidance, February 2006; Federal CIO Council Architecture and Infrastructure Committee, Demonstration Plan to Support Agency IPv6 Compliance, January 28, 2008.

RESULTS OF REVIEW

SSA implemented IPv6 [12] and met the Federal standards and guidelines. On December 10, 2007, SSA performed tests that demonstrated its network backbone (core) was capable of transporting [13] IPv6 traffic. Furthermore, SSA provided the required IPv6 documentation to OMB on February 28, 2008, 4 months ahead of the June 30, 2008 deadline.

Additionally, after SSA completed its initial IPv6 implementation, it took the initiative to work with the Internal Revenue Service, the Veterans Administration, and NIST to build an IPv6 data exchange mechanism to send and receive IPv6 data. Each participating agency will be able to demonstrate its ability to exchange data with an external partner using IPv6 capabilities. This testing should facilitate SSA’s continued implementation of IPv6. In the future, SSA needs to ensure it continues to purchase IPv6-compliant equipment per NIST standards.

Compliance with IPv6 NIST Standards

NIST standards [14] require that SSA purchase IPv6-compliant equipment. SSA’s phased implementation of IPv6 [15] allows it to introduce IPv6 capability to the network environment through its normal, planned-technology refresh cycles, avoiding a substantial initial cost. Although SSA is ready to implement IPv6, it still needs to operate in an IPv4 environment because it has a significant number of devices that work under IPv4. Therefore, SSA acknowledges [16] that IT assets and systems procured, developed, or acquired must be able to operate in both IPv6 and IPv4 environments. [17]

[12] Federal CIO Council Architecture and Infrastructure Committee’s Demonstration Plan to Support Agency IPv6 Compliance, issued January 28, 2008 (pp. 2 and 3).
[13] SSA is capable of receiving, processing and forwarding IPv6 traffic.
[14] NIST, SP 500-267 (Draft), A Profile for IPv6 in the U.S. Government - Version 1.0, Draft 2 dated January 23, 2008, page 3 states: “This publication seeks to assist Federal Agencies in formulating plans for the acquisition of IPv6 technologies. To achieve this, we define a standards profile for IPv6 in the USG that is intended to be applicable to all future uses of IPv6 in non-classified, non-national security federal IT systems.”
[15] Phase 1: Network Core IPv6 Capability, was expected to be accomplished by June 2008. Phase 2: Extranet IPv6 Capability is expected to be accomplished by the end of Fiscal Year (FY) 2009/early FY 2010, and Phase 3: Edge-to-Edge IPv6 Capability is expected to be done in FY 2011/2012.
[16] IPv6 Integrated Project Plan, February 27, 2006.
[17] This is considered a dual-stack environment.

As the Agency moves forward, it needs control measures in place to ensure any new IT assets work with both IPv6 and IPv4 systems. This minimizes the cost of the Agency-wide conversion to IPv6 by ensuring that relevant IT products are procured or developed and are capable of operating in both environments.

As part of SSA’s IPv6 Integrated Project Plan, the Agency ensured it was complying with NIST, the IETF, and Federal CIO Council Architecture and Infrastructure Committee guidelines. These guidelines serve as the Agency’s strategic planning for future acquisitions of networks that will be operational in 2010 and beyond.

CONCLUSION AND RECOMMENDATIONS

We found SSA appropriately implemented IPv6 in accordance with Federal standards and guidelines. In the future, SSA plans to complete the transition to IPv6 while taking into consideration the costs and impacts on business operations. Therefore, we recommend SSA:

1. Continue to ensure all additional IT products that are procured or developed are capable of operating in IPv6 networks to minimize further cost to the Agency during its transition.

AGENCY COMMENTS AND OIG RESPONSE

SSA agreed with our recommendation. See Appendix C for the full text of the Agency’s comments.

Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

CIO    Chief Information Officer
EA     Enterprise Architecture
FEA    Federal Enterprise Architecture
FY     Fiscal Year
IETF   Internet Engineering Task Force
IP     Internet Protocol
IPv4   Internet Protocol Version 4
IPv6   Internet Protocol Version 6
IRM    Information Resources Management
IT     Information Technology
NIST   National Institute of Standards and Technology
OCIO   Office of the Chief Information Officer
OMB    Office of Management and Budget
OS     Office of Systems
PMO    Project Management Office
RFC    Request for Comment
SP     Special Publication
SSA    Social Security Administration

Appendix B

Scope and Methodology

Our objective was to evaluate the Social Security Administration’s (SSA) implementation of Internet Protocol Version 6 (IPv6) and its compliance with Federal standards and guidelines.

To meet our objective, we examined SSA’s Office of Management and Budget (OMB) documentation, project plans, and assessments as well as its progress report on the IPv6 implementation. Specifically, we examined:

  • IPv6 Phase 2 Network Inventory, February 28, 2006.
  • IPv6 Business Impact Assessment, February 27, 2006.
  • IPv6 Integrated Project Plan, February 27, 2006.
  • IPv6 Progress Status Report, February 27, 2006.
  • SSA Enterprise Architecture Transition Strategy for 2007 through 2012 (Version 2.0), February 28, 2007.
  • IPv6 Capability Inventory for Routers, Switches & Firewalls, October 19, 2005.
  • SSA’s OMB submission from the Chief Information Officer (CIO) identifying a lead for the IPv6 initiative, November 10, 2005.
  • OMB's "Federal Enterprise Architecture (FEA) Program Management Office (PMO) Assessment for Social Security Administration (SSA) Q2 FY2006 – March 2006," April 27, 2006 and OMB's "FEA PMO Enterprise Architecture (EA) Assessment for Social Security Administration (SSA) Q2 FY2007 – March 2007," November 19, 2007.
  • OMB's FEA PMO Quarterly Reports for June 1, 2007; September 1, 2007; and December 1, 2007.
  • Social Security Administration Network Core IPv6 Capability Demonstration report, December 10, 2007.

We also reviewed the following:

  • OMB Memorandum M-05-22, Transition Planning for Internet Protocol Version 6 (IPv6), August 2, 2005.
  • IPv6 Transition Guidance, CIO Council, Federal CIO Council Architecture and Infrastructure Committee, February 2006.
  • Demonstration Plan to Support Agency IPv6 Compliance, Federal CIO Council Architecture and Infrastructure Committee, January 28, 2008, Version 1.0.
  • National Institute of Standards and Technology Special Publication 500-267 (Draft), A Profile for IPv6 in the U.S. Government – Version 1.0, Draft 1 dated January 2007 and Draft 2 dated January 23, 2008.
  • Internet Protocol Version 6 -- Federal Government in Early Stages of Transition and Key Challenges Remain, General Accountability Office, June 2006.
  • Router Security Configuration Guide Supplement - Security for IPv6 Routers, National Security Agency, May 23, 2006.
  • SSA’s Information Resources Management (IRM) Strategic Plan Fiscal Year 2007.

We interviewed representatives from the following SSA components.

  • The Office of the Chief Information Officer (OCIO) directs and manages SSA's enterprise information technology security program. This includes establishing Agency-wide security policies, managing the reporting, and monitoring processes to ensure compliance.
  • The Office of Systems (OS), Office of Telecommunications and Systems Operations researches network prototypes, performs testing of new network technologies, and implements and monitors network standards.
  • OS, Office of Enterprise Support, Architecture and Engineering, modifies the EA for the day-to-day operations. The EA may require additions, alterations, and improvements to not only meet the requirements set forth by OMB directives but to accurately reflect the architectural products being used to manage IRM resources.

We performed our field work in SSA Headquarters from November 2007 through March 2008. We determined the information used in this review was sufficiently reliable to meet our audit objectives. The audited entities were the OCIO and OS. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix C

Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date:      August 19, 2008
Refer To:  S1J-3
To:        Patrick P. O'Carroll, Jr.
           Inspector General
From:      David V. Foster /s/
           Executive Counselor to the Commissioner
Subject:   Office of the Inspector General (OIG) Draft Report, “The Social Security Administration’s Implementation of Internet Protocol Version 6” (A-14-08-18064)--INFORMATION

We appreciate OIG’s efforts in conducting this review. Attached is our response to the recommendation.

Please let me know if we can be of further assistance. Please direct staff inquiries to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.

Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT, “THE SOCIAL SECURITY ADMINISTRATION’S IMPLEMENTATION OF INTERNET PROTOCOL VERSION 6” (A-14-08-18064)

Thank you for the opportunity to review and provide comments on this draft report.

Recommendation 1

“Continue to ensure all additional information technology (IT) products that are procured or developed are capable of operating in Internet Protocol Version 6 (IPv6) networks to minimize further cost during its transition.”

Comment

We agree. As part of the IPv6 implementation initiative, we developed policies and procedures that are closely tied to the National Institute of Standards and Technology publication of IPv6 technical profiles. The content of both the policies and the procedures will establish consideration of IPv6 capability for relevant IT products and components. We are currently reviewing the documents for final approval. We are developing similar procedures for micropurchases. We believe these actions will ensure that the introduction of IPv6-based technology is cost-effective for the agency.

Appendix D

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Kitt Winter, Director, Information Technology Audit Division (410) 965-9702

   Mary Ellen Moyer, Acting Audit Manager (410) 966-1026

Acknowledgments

In addition to those named above:

   Jan Kowalewski, Senior Program Analyst

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public Affairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number A-14-08-18064.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Counsel to the Inspector General

OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations

OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.